The Complete Guide to Nonprofit Website Security (2025)

June 16, 2025
Every day, nonprofits face a harsh reality: hackers don't care about your mission. While you're focused on feeding the hungry, protecting the environment, or advocating for those who need a voice, cybercriminals see your website as an opportunity. 

A security breach doesn't just cost money to fix – it can destroy the trust you've spent years building with your community. When donors lose confidence in your ability to protect their information, some never come back.

We understand that website security probably isn't why you got into nonprofit work. You're here to make a difference, not to worry about hackers and malware. But protecting your website means protecting your ability to serve your mission. Without a secure digital presence, your programs, your donors, and your community all become vulnerable.

The good news? You don't need to become a tech expert (or spend thousands of dollars) to keep your website secure. This guide breaks down practical, budget-friendly security measures that any nonprofit can implement. We'll skip the tech jargon and focus on clear steps you can take starting today. 

Whether you're a one-person operation or have a small team, these strategies will help you build a fortress around your digital presence without breaking the bank or your spirit.

Why Nonprofit Website Security Matters More Than Ever

You're Not Too Small to Be a Target

Many nonprofit leaders think their organizations are too small to attract hackers' attention. This dangerous assumption leaves countless organizations vulnerable. The truth is that hackers often specifically target nonprofits because they know these organizations typically have fewer resources for security and less technical expertise on staff.

Here are some alarming statistics to show you how frequently nonprofits fall victim to security breaches:

  • 27% of nonprofits have experienced at least one cyber attack
  • 60% of nonprofits have experienced a cyberattack within the past two years
  • Nonprofits experience an average of 1,636 cyber attacks each week

That’s because hackers see nonprofits as easy targets with valuable prizes. Your donor database contains names, addresses, email addresses, and often credit card information – everything needed for identity theft. Even if you don't store payment information directly, your email lists and donor contact information are valuable to spammers and scammers.

The Trust Factor

When donors give to your organization, they're not just supporting your mission – they're trusting you with their personal information. A single security breach can shatter that trust instantly. Once donors feel their information isn't safe with you, winning them back becomes incredibly difficult, or sometimes impossible.

The average cost of cyber attacks on nonprofits is cited as high as $2 million, including costs associated with data recovery, legal fees, reputational damage, and efforts to rebuild trust.

The ripple effects extend far beyond immediate donation losses. News of a security breach spreads quickly through social media and community networks. Potential grant funders may question your organization's professionalism and ability to manage resources responsibly. Your board members might face difficult questions about oversight and due diligence.

The Good News

Before you close your laptop in despair, take a deep breath. Securing your nonprofit website doesn't require a computer science degree or a massive budget. Many of the most effective security measures are completely free. Others cost less than a monthly coffee subscription. The key is knowing where to focus your efforts and taking consistent, small steps forward.

Understanding the Main Security Threats to Nonprofits

Common Attack Methods (Explained Simply)

31% of nonprofit managers don’t understand key cybersecurity risks. That’s why we’ve set out to demystify what hackers actually do to compromise websites. Understanding the key types of threats helps you protect against them, just like knowing how burglars operate helps you secure your home.

  • Malware and Viruses: These work like digital infections, sneaking onto your website through vulnerabilities. Malware and viruses can steal information, redirect visitors to dangerous sites, or use your server to attack others.
  • Phishing: Phishing is an attempt to deceive people into revealing passwords or sensitive information by pretending to be legitimate communications from your organization.
  • Brute Force Attacks: These are like someone trying every possible key to open a lock. Hackers use automated programs to guess passwords thousands of times per second until they find the right one.
  • SQL Injections: These attacks exploit weaknesses in how your website passes visitor input (search boxes, form fields, URL parameters) to its database, potentially giving hackers access to all your stored information.
  • Cross-Site Scripting: This method allows attackers to inject malicious code into your web pages, which then runs in your visitors' browsers.
  • Social Engineering: This is a tactic to manipulate people rather than technology. An example is a hacker calling your office pretending to be your web hosting company and asking for login credentials.

Google's Safe Browsing Transparency Report

You can enter your URL into Google’s Transparency Report to check if your nonprofit website is flagged as dangerous.

[Image: screenshot of Google's Safe Browsing Transparency Report web page for ASPCA.org]

What Hackers Want from Your Site

Understanding hackers' motivations helps you prioritize your security efforts. They're not targeting your nonprofit out of malice toward your mission – they're looking for valuable resources they can exploit.

Here’s what they’re after (and how it affects your nonprofit):

  • Payment Information: This is at the top of their wish list. Even if you use secure third-party payment processors, hackers might try to intercept information during transactions or redirect donations to their own accounts.
  • Personal Data: Identity theft comes second. Names, addresses, birthdates, and email addresses can be sold on the dark web or used directly for fraudulent activities.
  • A Platform for Malware: Some hackers want to use your website to spread malware to your visitors. They inject malicious code that infects anyone who visits your site, turning your nonprofit into an unwitting accomplice in their schemes. Malware steals personal information so hackers can profit through theft, extortion, or selling access to these compromised systems.
  • Your Email List: Others target your email lists to send spam or phishing emails using your nonprofit’s credibility, damaging your reputation and putting your supporters at risk. Spam can be used to advertise shady products or services, while phishing campaigns are used to steal sensitive information, like passwords or financial details. If your domain gets blacklisted, your ability to communicate with supporters will be disrupted, further destabilizing your organization.
  • Access to Your Social Media: Your integrated social media accounts present another attractive target. Gaining access to your Facebook or Twitter accounts through your website allows hackers to spread misinformation or scams to your entire follower base.

Warning Signs Your Site May Be Compromised

Early detection can mean the difference between a minor inconvenience and a major crisis. Watch for these warning signs that something might be wrong with your website:

  • Slow Performance: An abrupt change to your website’s performance often indicates hidden malware consuming your server resources. If your website suddenly takes much longer to load without any changes on your end, investigate immediately.
  • Strange Pop-Ups or Redirects: These are obvious red flags. Your nonprofit website should never show casino ads or redirect to suspicious sites.
  • Unexpected Changes to Your Content: Content changes might be subtle at first. Check for new pages you didn't create, modified text, or added links to external sites.
  • Suspicious User Accounts: New accounts appearing in your content management system suggest someone has gained administrative access. Regular reviews of user accounts can catch this early.
  • Unusual Traffic Patterns in Your Analytics: Suspicious traffic patterns, like sudden spikes from unfamiliar countries or at odd hours, often indicate bot attacks or other malicious activity.

Keep in mind that Google warnings in search results will devastate your traffic and credibility. When Google detects malware on your site, it displays scary warnings that stop visitors before they even reach your homepage. 

Building Donor Confidence: Lessons from St. Jude's Security Seals

When visitors land on a donation page, like St. Jude's, they're looking for reassurance that their sensitive information and hard-earned money are safe. St. Jude effectively builds this trust by prominently displaying security badges like the Charity Navigator and BBB (Better Business Bureau) seals. These aren't just pretty logos – they're independent endorsements confirming the organization's financial health, accountability, and ethical practices. 

Coupled with a clear link to a comprehensive privacy policy and an accessible FAQ section, these elements work together to alleviate donor concerns. When donors feel secure, they are more likely to complete their donation.

[Image: screenshot of the trust signals on St. Jude's website donation page]

Essential Security Measures Every Nonprofit Should Implement

Think of software updates like vaccines for your website. They protect against known vulnerabilities that hackers actively exploit. When developers discover security holes, they release updates to fix them. But these updates only work if you actually install them.

Regularly Update Your CMS and All Software Components

Your content management system (like WordPress, Drupal, or Joomla) needs regular updates. So do all your plugins, themes, and any other software components. Hackers maintain databases of known vulnerabilities in older versions and use automated tools to find websites still running outdated software. It's like leaving your doors unlocked in a neighborhood where everyone knows you're away.

Implement Automatic Updates

Setting up automatic updates removes the burden of remembering to check manually. Most modern content management systems offer this option. Yes, occasionally an update might cause a small glitch, but that's far better than giving hackers an open invitation. Create a simple spreadsheet to track what needs updating and when you last checked each component.

Use Strong Passwords and Authentication

Protecting your nonprofit’s accounts starts with smart password practices. These simple habits and tools make it harder for hackers to break in so your team can stay secure:

  • Create Strong Passwords: Weak passwords are like using a paper chain to lock your door. "Password123" or your organization's name won't keep anyone out. Strong passwords combine uppercase and lowercase letters, numbers, and symbols in patterns that don't relate to dictionary words or personal information.
  • Enable Two-Factor Authentication: This type of authentication adds an additional layer of security by requiring a second form of verification beyond your password. Even if someone steals or guesses your password, they can't access your account without that second factor – usually a code sent to your phone. This simple step blocks the vast majority of unauthorized access attempts.
  • Use Password Managers: Password managers solve the impossible task of remembering dozens of complex passwords. Tools like Bitwarden offer free nonprofit plans that let your team generate and store strong, unique passwords for every account. Regular password rotation means changing passwords every few months, especially for high-privilege accounts like administrators.

Choose Secure Hosting

Your web hosting provider serves as the foundation of your website security. Choosing the cheapest option often means sacrificing crucial security features. But you don't need the most expensive hosting either – you just need hosting that takes security seriously.

Look for providers that offer automated backups, SSL certificates, firewalls, and malware scanning as standard features. Shared hosting (where your site lives on a server with many others) costs less but can expose you to risks from neighboring sites. Dedicated or virtual private server hosting provides better isolation but costs more. Many nonprofits find managed WordPress hosting offers the best balance of security and affordability.

Vetting Potential Providers

Questions to ask potential hosting providers include: 

  • How often do you update server software? 
  • What if my site gets hacked? 
  • Do you provide automatic backups? 
  • What security monitoring do you include? 
  • How quickly do you respond to security incidents? 

Their answers reveal whether they'll be partners in your security efforts or leave you to figure things out alone.

Install an SSL Certificate

SSL (today implemented as its successor, TLS, though the old name stuck) encrypts data traveling between browsers and your server, preventing hackers from intercepting sensitive information like passwords or credit card numbers. Unfortunately, 15% of nonprofits do not have an SSL certificate on their website.

Many hosting providers now include free SSL certificates through Let's Encrypt. Setting one up usually takes just a few clicks in your hosting control panel. 

Check Your Site Security

To ensure this protection is in place, check that your website URL begins with “https://” instead of “http://.” The “s” stands for “secure” and indicates that your site uses SSL encryption to safeguard information submitted through your website, such as donation amounts, contact details, or login credentials.

Previously, most browsers indicated a secure HTTPS connection by showing visitors a padlock icon in their address bar. However, Google Chrome has replaced the lock icon with a “tune” icon, and many other browsers have followed suit.

Now, you can click the tune icon in the browser’s address bar to check that your connection is secure. 

[Image: screenshot of security information shown in the browser address bar for nonprofit Unicef]

Clicking “Connection is secure” should show you that your certificate is valid.

[Image: screenshot of the connection security notice shown in the browser address bar for nonprofit Unicef]

Beyond security, SSL certificates affect how people perceive your organization. Modern browsers display "Not Secure" or “Not Private” warnings for sites without SSL, immediately undermining visitor confidence. 

[Image: example of a "your connection is not private" warning from Google Chrome]

Google also favors secure sites in search rankings, meaning SSL directly impacts how many people find your organization online.

Regular Backups

Backups are your safety net when everything else fails. They let you restore your website to a working state after a hack, technical failure, or human error. Yet many nonprofits discover their backups don't work only when they desperately need them.

Here are some best practices to follow:

  • Enable Automated Backup Solutions: Automated backups remove the risk of forgetting this crucial task. Your hosting provider might include automatic backups, or you can use plugins or services designed for this purpose.
  • Ensure Backups Run Regularly: Schedule them to run daily for frequently updated sites or weekly for others.
  • Test Your Backup Restoration Process: Do this before you need it to prevent nasty surprises during emergencies. Practice restoring a backup to a test environment at least quarterly.
  • Store Backups Separately From Your Main Website: If hackers compromise your server, they shouldn't be able to delete your backups too. Cloud storage services or off-site backup solutions provide this critical separation.

User Permissions and Access Control

Here are some best practices to follow when auditing user permissions:

  • Follow the Principle of Least Privilege: Not everyone needs full administrative access to your website. The principle of least privilege means giving people only the permissions they need for their specific tasks. A volunteer updating blog posts doesn't need the ability to install plugins or change security settings.
  • Perform Regular Audits of User Accounts: Regular audits prevent security risks from accumulating over time. That intern from three summers ago probably shouldn't still have login credentials. We recommend doing this monthly. Be sure to remove access for anyone no longer actively involved with your organization. It feels awkward, but it's necessary.
  • Create Role-Based Access Levels: Role-based access helps manage permissions systematically. Most content management systems offer predefined roles like Administrator, Editor, Author, and Contributor. Understand what each role can do and assign people to the appropriate level.
  • Document Who Has What Access and Why: Be sure to update this documentation whenever changes occur.

Building Donor Trust with Security Indicators

Security theater – making security visible without actually improving it – won't help your nonprofit. But legitimate security indicators can reassure donors that you take their protection seriously. The challenge is how to communicate security without causing unnecessary alarm.

Be Authentic

Display security badges and certifications authentically. If you process payments through PayPal or Stripe, their security badges belong on your donation page. If you've achieved PCI compliance or other security certifications, mention them in your privacy policy or donation FAQ. But don't clutter your site with meaningless "secure" graphics that don't represent real security measures.

Be Transparent

Transparency about your security practices builds confidence. Consider adding a brief security statement like this one to your donation page: 

"Your security matters to us. We use industry-standard encryption to protect your information and never store credit card details on our servers." 

This reassures without overwhelming donors with technical details.

Real-World Security: Badges That Build Confidence

When visitors see familiar symbols like the Charity Navigator, BBB (Better Business Bureau), and Candid badges at the bottom of a nonprofit website – like the ones at the bottom of American Cancer Society’s website – it's like a seal of approval that instantly builds trust. These badges tell supporters that independent organizations have thoroughly reviewed your operations, finances, and transparency. 

[Image: screenshot of security badges featured on the website of nonprofit American Cancer Society]

Knowing that an impartial third party has verified your legitimacy and practices helps supporters feel more confident that their interaction with your site is secure and that you will use their donation wisely.

Protecting Online Donations and Payment Processing

Understanding PCI Compliance

Payment Card Industry (PCI) compliance sounds intimidating, but it simply means following the PCI Data Security Standard (PCI DSS), a set of security rules created by the major card brands to protect payment data. Every organization that accepts credit cards must follow these standards, including small nonprofits. The good news is that reputable third-party payment processors handle most compliance requirements for you.

PCI Best Practices

Think of PCI compliance like food safety standards in a restaurant. You don't need to understand every technical detail, but you do need to follow basic practices. 

For most nonprofits, best practices mean:

  • Never storing credit card numbers
  • Using secure payment forms
  • Choosing payment processors that maintain their own PCI compliance
  • Using secure, encrypted connections for all payment processing
  • Restricting access to payment data
  • Regularly monitoring your payment systems

When you use embedded payment forms from processors like PayPal or Stripe, they handle the technical requirements while you focus on the user experience.

PCI Compliance Checks

Regular compliance checks ensure you maintain standards over time. This might be as simple as annually reviewing your payment processor's compliance status and confirming you're using their latest integration methods. Many processors provide compliance questionnaires designed for small organizations that help identify any gaps.

Securing Your Donation Forms

The donation form on your donation page represents the most critical security point on your website. Donors need to feel confident entering payment information, and you need to ensure that information stays protected throughout the process. The approach you choose dramatically impacts both security and donor experience.

Third-Party Versus Embedded Payment Forms

Third-party payment forms redirect donors to the payment processor's secure site to complete transactions. While highly secure, this approach can confuse donors who suddenly find themselves on a different website. 

Embedded payment forms keep donors on your site while still processing payments securely through providers like Stripe or PayPal. This seamless experience typically results in higher donation completion rates.

How to Check If Your Donation Form Is Secure

Testing your donation security in these ways should become a regular practice:

  • Make a small test donation quarterly to ensure the process works smoothly and securely. 
  • Make sure confirmation emails arrive properly.
  • Check that SSL certificates display correctly.
  • Ensure no error messages appear that might concern donors. 
  • Document any issues and address them immediately.

Common Vulnerabilities to Watch Out for

Prevalent security vulnerabilities include:

  • Outdated payment plugins
  • Custom-coded forms that don't follow security best practices
  • Storing sensitive information in form submissions or email confirmations

If your donation process emails you complete credit card numbers or saves them anywhere on your server, stop immediately and switch to a secure processor.

Payment Data Protection

The golden rule of payment data protection is simple: never store credit card information on your servers. Not in your database, not in emails, not in spreadsheets – nowhere. Let payment processors handle this responsibility with their bank-level security systems.

How Tokenization Works

Tokenization replaces the card number with a random token that is meaningless outside your payment processor's systems. When a donor saves their payment information for recurring gifts, you store only that token; the processor keeps the real card data in its own secured vault and accepts the token when you charge the next gift. Even if hackers steal these tokens, they're useless without access to the processor's systems.

How to Handle Donor Receipts Securely

Follow these secure receipt and confirmation processes:

  • Never include full credit card numbers on email receipts. At most, show only the last four digits.
  • Store donation records with amounts and donor information, but never payment details. 
  • Train all staff handling donation data on these critical boundaries.
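To put the "never store, never email" rule into practice, here is an added example (not part of the guide, nor any payment processor's code) that scans donation records and receipt text for anything that looks like a real card number, using the Luhn check that card numbers satisfy, refuses to persist a record that contains one, and masks numbers in outgoing text to the last four digits. The donor record, token and card number below are constructed test values.

```python
"""Detect and mask raw card numbers before donation data is stored or emailed.

Added example, not from the guide. All sample values are constructed.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators a donor or form might have inserted."""
    return re.sub(r"[ -]", "", candidate)


def find_card_numbers(text: str) -> list[str]:
    """Return every digit sequence that has card-number length AND passes Luhn.

    Donation IDs, phone numbers and random 16-digit references rarely pass Luhn,
    which keeps false alarms low.
    """
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Reduce a card number to its last four digits, the most a receipt should show."""
    return "**** **** **** " + _normalise(pan)[-4:]


def redact_card_numbers(text: str) -> str:
    """Replace any real card number in receipt or confirmation text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def contains_card_data(record: dict) -> bool:
    """True if any field of a donation record holds a raw card number."""
    return any(find_card_numbers(str(v)) for v in record.values())


class CardDataFound(ValueError):
    """Raised when a record about to be persisted contains a raw card number."""


def safe_to_store(record: dict) -> dict:
    """Gate in front of your database: only the processor's token and last four may pass."""
    for field, value in record.items():
        hits = find_card_numbers(str(value))
        if hits:
            raise CardDataFound(f"field {field!r} contains a card number ending {hits[0][-4:]}")
    return record


if __name__ == "__main__":
    # Constructed donation record: token from the processor, last four only, no PAN.
    ok = {"donor": "A. Example", "amount": "50.00", "card_last4": "4242",
          "token": "tok_constructed_123"}
    print(safe_to_store(ok))
    # Constructed receipt text that leaked a full test card number.
    print(redact_card_numbers("Thank you! Card 4242 4242 4242 4242 was charged $50.00"))
```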

Advanced Security Measures for Growing Organizations

Web Application Firewall

A Web Application Firewall (WAF) acts like a security guard for your website, examining all incoming traffic and blocking suspicious requests before they reach your server. Unlike regular firewalls that protect networks, WAFs specifically protect web applications by filtering HTTP/HTTPS traffic.

For nonprofits, WAFs provide protection against common attacks without requiring deep technical knowledge. They block SQL injection attempts, cross-site scripting, and other malicious traffic automatically. Many identify and stop attacks you might never know were happening, like automated bots probing for vulnerabilities.

Basic Versus Paid Services

Free options like Cloudflare offer basic WAF protection suitable for many small nonprofits. Paid services provide more advanced features and customization options. The beauty of modern WAFs lies in their simplicity – once configured, they work silently in the background, learning from attack patterns across millions of websites to protect yours.

Basic configuration typically involves pointing your domain's DNS to the WAF service, which then filters traffic before forwarding legitimate visitors to your actual server. Most services offer preset rules optimized for common content management systems, making initial setup straightforward even for non-technical users.

Security Plugins and Tools

Security plugins transform complex security tasks into simple checkbox operations. For WordPress sites, plugins like Wordfence or Sucuri Security provide comprehensive protection including malware scanning, firewall rules, and login attempt monitoring. Similar tools exist for other content management systems.

Look for features like:

  • Real-time threat detection
  • Automatic malware removal
  • Firewall protection
  • Security activity logging

The best plugins also offer login security features like limiting login attempts and alerting you to unauthorized access attempts. Many include free versions with paid upgrades for advanced features.

Setting up security scans should involve both automated regular scans and manual checks when you make significant changes. Configure alerts to notify you immediately of critical issues while batching less urgent notifications into daily or weekly summaries. This balance keeps you informed without overwhelming your inbox.
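The login-attempt monitoring these plugins perform can be reproduced against your own access logs, which is useful when a hosting plan gives you log files but no plugin. The following added example (not from the guide, nor from Wordfence, Sucuri or any other product) reads web server access-log lines in the common "combined" format and flags addresses that POST to a login page far more often than a person could; the log lines and IP addresses are constructed, and the assumption that a failed WordPress login returns 200 while a successful one redirects with 302 reflects default WordPress behaviour.

```python
"""Flag brute-force login bursts in web server access logs.

Added example, not from the guide. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Login endpoints of common CMSs (WordPress, Drupal, Joomla); a POST is a credential attempt.
LOGIN_PATHS = {"/wp-login.php", "/user/login", "/administrator/index.php"}

# Constructed log: one scripted burst, one slow legitimate-looking retry, one normal login.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2025:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jun/2025:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jun/2025:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jun/2025:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jun/2025:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jun/2025:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jun/2025:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.55 - - [16/Jun/2025:02:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.55 - - [16/Jun/2025:02:41:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.20 - - [16/Jun/2025:02:15:10 +0000] "GET /donate/ HTTP/1.1" 200 18733 "-" "Mozilla/5.0"
198.51.100.20 - - [16/Jun/2025:02:15:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_login_attempts(log_text: str) -> dict[str, list[tuple[datetime, int]]]:
    """Return, per client IP, the (timestamp, status) of every POST to a login endpoint."""
    attempts: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore query strings such as ?action=lostpassword
        if path not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts[m["ip"]].append((ts, int(m["status"])))
    return attempts


def detect_brute_force(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Flag IPs with more than `threshold` login POSTs inside any sliding `window`.

    Assumption (default WordPress): a failed login re-renders the form with 200, a
    successful one answers 302. A 302 inside a burst means the password may have
    been guessed, which is the finding that needs action first.
    """
    findings = []
    for ip, events in parse_login_attempts(log_text).items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            findings.append({
                "ip": ip,
                "attempts": len(events),
                "peak_in_window": peak,
                "first": events[0][0],
                "last": events[-1][0],
                "possible_success": any(status == 302 for _, status in events),
            })
    return findings


if __name__ == "__main__":
    for f in detect_brute_force(SAMPLE_LOG):
        urgency = "URGENT: burst ended in a redirect" if f["possible_success"] else "blocked/failed"
        print(f"{f['ip']}: {f['attempts']} login POSTs ({f['peak_in_window']} within window) - {urgency}")
```

The threshold and window are deliberately conservative; tune them to your own traffic, and feed real alerts into the "who to contact first" step of your incident response plan.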

Content Delivery Networks (CDNs)

CDNs do double duty for nonprofits – improving both security and performance. By distributing your website content across servers worldwide, CDNs protect against distributed denial of service (DDoS) attacks that try to overwhelm your server with traffic. 

[Image: content delivery network infographic, from GTmetrix]

They also make your site load faster for visitors everywhere. In fact, websites that implement a CDN often see load time reductions of 50% or more.

Free CDN options for nonprofits include Cloudflare's free tier, which provides basic DDoS protection and performance improvements. Implementation typically requires changing your domain's nameservers – a process that sounds technical but usually involves copying and pasting a few values in your domain registrar's control panel.

Beyond security, CDNs offer performance benefits that directly impact your mission. Faster loading times mean higher donation completion rates and better user engagement. Visitors in different geographic regions experience your site as if it were hosted nearby, eliminating the frustration of slow-loading pages that might cause them to leave before donating or learning about your programs.

VPN Usage for Remote Teams

Virtual Private Networks (VPNs) create encrypted tunnels between remote computers and your network. This is essential when staff or volunteers access sensitive systems from home or public WiFi. Think of a VPN as a secure, private road between locations on the public internet highway.

Nonprofits need VPNs primarily when team members access administrative areas of websites, donor databases, or other sensitive systems remotely. Free and affordable options include ProtonVPN's free tier or TunnelBear for small teams. Paid services like NordLayer offer centralized management for larger organizations.

Setting up VPN access for admin areas involves configuring your website to accept connections only from your VPN's IP addresses for sensitive operations. This means even if someone steals an administrator's password, they can't access your systems without also being on your VPN. 

Training remote staff requires simple instructions: connect to VPN before accessing any organizational systems. Disconnect when finished.

IP-Based Security Measures

IP restrictions add another layer of security by limiting access to sensitive areas based on internet addresses. Like a guest list at an exclusive event, you specify which IP addresses can access your website's administrative sections. This works particularly well for organizations with staff working from consistent locations.

Whitelisting

Whitelisting IP addresses for admin access means creating an approved list of addresses that can reach your login pages or administrative interfaces. If your team works from an office with a static IP address, this provides excellent protection. Remote workers can use VPNs to connect through approved addresses.

Restricting Access

Blocking suspicious geographic locations helps prevent attacks from regions where you have no legitimate users. If your local food bank only serves communities in Ohio, blocking administrative access from other countries reduces your attack surface without impacting your mission. 

However, implement such blocks carefully to avoid accidentally excluding legitimate users traveling or using VPNs for their own security.
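The allowlist described in this section, as an added example (not from the guide, nor from any CMS or hosting product): a server-side check that only restricts administrative paths, compares the client address against approved networks using Python's ipaddress module, and leaves public pages untouched. The office address, VPN egress range and request samples are constructed; where such a check actually lives (web server rule, WAF, CMS plugin) depends on your setup.

```python
"""Allowlist check for a website's administrative area.

Added example, not from the guide. Addresses, ranges and paths below are constructed.
"""
import ipaddress

# Approved sources for admin access (constructed values): the office's static IP
# and the address range your VPN provider hands out, so remote staff pass too.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.10/32"),   # office static IP
    ipaddress.ip_network("198.51.100.0/28"),   # VPN egress range
]

# Only these paths are gated. Public pages (donation form, blog) are never restricted,
# so a traveller or a VPN-using donor is not locked out of your mission content.
ADMIN_PREFIXES = ("/wp-admin/", "/wp-login.php", "/user/login", "/administrator/")

# WordPress serves public front-end requests through /wp-admin/admin-ajax.php;
# blocking it would break site features for every visitor, so it stays open.
PUBLIC_EXCEPTIONS = ("/wp-admin/admin-ajax.php",)


def is_admin_path(path: str) -> bool:
    """True for login pages and administrative interfaces, ignoring any query string."""
    path = path.split("?", 1)[0]
    if path in PUBLIC_EXCEPTIONS:
        return False
    return any(path == p.rstrip("/") or path.startswith(p) for p in ADMIN_PREFIXES)


def client_allowed(client_ip: str, path: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one request.

    client_ip must be the real visitor address. Behind a CDN or WAF such as
    Cloudflare that is the address the proxy reports, not the proxy's own address.
    """
    if not is_admin_path(path):
        return True, "public path"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client address"
    for net in ADMIN_ALLOWLIST:
        if addr in net:  # an IPv6 client never matches an IPv4 network, and vice versa
            return True, f"admin path, source in {net}"
    return False, "admin path, source not on allowlist"


if __name__ == "__main__":
    # Constructed requests: office admin, VPN admin, stranger hitting login, donor on public page.
    for ip, path in [("203.0.113.10", "/wp-admin/index.php"),
                     ("198.51.100.5", "/wp-login.php"),
                     ("192.0.2.9", "/wp-login.php"),
                     ("192.0.2.9", "/donate/")]:
        allowed, reason = client_allowed(ip, path)
        print(f"{ip:>14} {path:<22} {'ALLOW' if allowed else 'DENY ':5} ({reason})")
```

Keep the allowlist in one documented place alongside your "who has access to what" record, and re-check it whenever the office connection or VPN provider changes, or staff will be locked out without warning.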

Social Media Integration Security

Social media plugins and integrations create potential vulnerabilities by connecting external services to your website. Each integration represents another potential entry point for attackers. That Facebook feed or Instagram gallery might look great, but it needs proper security consideration.

Secure social login implementation lets supporters use their Facebook or Google accounts to access member areas of your site without creating separate passwords. When done correctly, this improves both security and user experience. However, poor implementation can expose your site to compromised social media accounts.

Social Media Security: Best Practices

Best practices for social media feeds include:

  • Using official plugins from reputable developers
  • Keeping integrations updated
  • Regularly reviewing connected accounts
  • Revoking access and regenerating any API keys or access tokens if a staff member who managed your social media leaves

Creating a Security-First Culture at Your Nonprofit

Staff and Volunteer Training

95% of data breaches are caused by human error. That’s why building strong security habits among your team matters more than any technical solution. The most sophisticated security systems fail when someone clicks a malicious link or shares their password. 

Creating a security-conscious culture doesn't require turning everyone into tech experts – it means helping them understand their role in protecting your organization and the people you serve.

Start with basic security awareness topics that relate directly to daily work:

  • Demonstrate the damage a security breach could cause to your programs and the communities you serve. Make security personal rather than abstract.
  • Show what legitimate password reset emails from your systems look like versus fake ones.
  • Explain how to recognize phishing emails using real examples relevant to nonprofits.

Here’s an example of a phishing email from Hook Security:

[Image: phishing email example, from Hook Security]

The Federal Trade Commission offers advice on how to recognize and avoid phishing scams so you can protect yourself and your organization.

Positive Approaches to Security

Positive reinforcement around security behaviors works better than fear-based approaches. Here are some key ways to build positive reinforcement:

  • Make security part of your regular team meetings with brief reminders and updates. 
  • Share news about security breaches at other nonprofits (sensitively) to reinforce why these practices matter. 
  • Celebrate security wins, like when someone reports a suspicious email instead of clicking it. 

Onboarding new staff and volunteers should always include security training tailored to their role. A volunteer updating your blog needs different security knowledge than someone processing donations. Create role-specific security checklists that new team members review and sign, confirming they understand their security responsibilities.

Documentation and Procedures

Clear documentation transforms good security intentions into consistent practices – and yet 32% of nonprofits lack a clear website security plan. 

If you’re feeling overwhelmed, start by documenting the basics: 

  • Who has access to what
  • Where passwords are stored
  • How to report security concerns

This documentation doesn't need to be complex – a simple shared document works fine as long as it's kept updated and accessible to those who need it.

Create an Incident Response Plan

Your incident response plan outlines exactly what to do if something goes wrong. Create step-by-step instructions anyone can follow, including: 

  • Who to contact first (plus after-hours numbers)
  • How to temporarily take the site offline if needed
  • Where backup files are located
  • Which board members need notification

Test this plan quarterly as a tabletop exercise: walk through each step as if an incident were happening, confirm that the contacts, logins and backups it relies on still exist, but don't actually execute the steps.

Update Emergency Contact Information

Emergency contact information should include:

  • Your web hosting provider's security team
  • Your web developer or agency
  • Your payment processor's fraud department
  • Any security consultants you work with
  • Internal contacts like your executive director, board chair, and communications lead

Keep this list updated and accessible even if your website goes down. Print copies or store in multiple locations.

Implement Regular Security Drills

These don't need to be disruptive. Simple exercises like sending simulated phishing emails help team members practice identifying threats; tell people in advance that such tests will happen so the exercise builds skills rather than resentment. Walk through your incident response plan verbally during staff meetings. These practices build muscle memory for real incidents.

Working with Developers and Vendors

Your website security depends heavily on the developers and vendors you choose to work with. Asking the right questions before hiring helps avoid security problems later. Don't feel embarrassed about not understanding all the technical details – good developers explain security in terms you can understand.

Essential security questions to ask potential vendors include: 

  • How do you keep sites secure during development? 
  • What security measures do you build into every site? 
  • How do you handle security updates after launch? 
  • What happens if a site you built gets hacked? 
  • Have you worked with nonprofits before?
  • Do you understand our unique security needs? 

Red flags include dismissive attitudes toward security concerns, reluctance to explain their practices, or promises that security is "never a problem" with their sites.

Security Standards in Contracts

Requiring security standards in contracts protects both parties. Include requirements for:

  • Secure coding practices
  • Regular security updates during any maintenance period
  • Prompt notification of discovered vulnerabilities
  • Clear handoff procedures including all passwords and documentation

Don't sign contracts that disclaim all responsibility for security issues.


Responding to Security Incidents

Discovering your website has been compromised triggers panic, but having a clear action plan helps you respond effectively. 

Immediate Steps to Take if You're Hacked

First, take a deep breath. Then work through your response checklist methodically. Quick but thoughtful action minimizes damage, while panicked reactions often make things worse.

Here are the steps we recommend to contain the damage and preserve the evidence. These should be your immediate priorities:

  1. Go Offline: If possible, take your site offline temporarily (a maintenance page or a block at the hosting level) to prevent further harm to visitors or data theft. Don't delete anything yet.
  2. Reach Out: Contact your hosting provider's security team. They've handled similar situations and can guide you through their specific procedures.
  3. Preserve Evidence: Before you change or clean anything, make a complete copy of the compromised site (files, database, and server or access logs) and store it somewhere the attacker cannot reach. Once the site has been cleaned, it is much harder to work out how the attacker got in.
  4. Update Passwords and Keys: From a device you trust (not one that may also be compromised), change all passwords related to your website, starting with hosting and administrative accounts, then database credentials, API keys and access tokens. Review the user list for accounts you don't recognize and log out all active sessions.
  5. Document Everything: Record when you discovered the compromise, what symptoms you noticed, any suspicious files or changes, unusual user accounts, or strange traffic patterns. Take screenshots of anything abnormal: they help security professionals understand what happened and provide the documentation needed for breach notifications or insurance claims.

Communication with Stakeholders

Deciding when and how to notify donors and supporters about a security incident requires balancing transparency with avoiding unnecessary alarm. If personal data or payment information was potentially compromised, legal requirements often dictate notification timelines and methods. Even without legal obligations, ethical considerations usually favor disclosure.

Here are some tips for crafting these communications:

  • Acknowledge the situation honestly while reassuring stakeholders about your response. 
  • Explain what happened in simple terms, including what information was potentially affected, steps you've taken to address the issue, and what supporters should do to protect themselves. 
  • Avoid technical jargon or blame-shifting. 
  • Take responsibility while demonstrating a competent response.

Sample communication templates should include initial notification emails, website banners, social media posts, and phone scripts for concerned donors who call. Prepare these templates in advance, during calm times, so you're not writing under pressure during an actual incident. Have your board chair or executive director review and approve templates before you need them.

Recovery and Prevention

Cleaning your site after a hack requires methodical work to ensure you remove all malicious code while preserving your legitimate content. Professional security services can expedite this process, but many nonprofits successfully clean compromised sites themselves with patience and careful attention. Your hosting provider might offer cleaning services or recommend trusted professionals.

Recovery Process

Recovering after a hack typically involves:

  • Restoring from a clean backup (if available): use one taken before the compromise began, not simply the most recent one, since recent backups may already contain the attacker's files.
  • Manually removing malicious files, comparing the live site against a known-good copy of your CMS, theme, and plugin files rather than relying on eyeballing alone.
  • Updating all software to the latest versions and closing the hole the attacker used: a restored site that still runs the vulnerable plugin will simply be hacked again.
  • Changing all passwords and access keys once more after the cleanup, in case the attacker captured the new ones while still present.
  • Scanning thoroughly to ensure complete cleanup, including scheduled tasks, unfamiliar admin users, and database content, not just the file system.

Don't rush this process – a partially cleaned site often gets reinfected quickly.

Post-Incident Review

Learning from the experience prevents future incidents. Conduct a thoughtful post-incident review asking: 

  • How did the breach occur? 
  • What early warning signs did we miss? 
  • Which security measures could have prevented this? 
  • What worked well in our response? 
  • What should we do differently? 

Update your security procedures based on these lessons, sharing insights with your team to build collective knowledge.


Budget-Friendly Security Resources for Nonprofits

The technology community recognizes that nonprofits need robust security despite limited budgets. Many companies offer free or deeply discounted security tools through programs designed specifically for charities. Taking advantage of these resources stretches your security budget dramatically.

Here are some free and discounted tools to consider:

  • Google for Nonprofits: This resource includes security features like advanced phishing and malware protection for Gmail, security key enforcement for high-risk accounts, and alert systems for suspicious activity.
  • Microsoft's Nonprofit Solutions: Similar benefits are available through Microsoft 365, including advanced threat protection and security monitoring tools typically reserved for enterprise customers.
  • Open-Source Security Solutions: These offer professional-grade protection without licensing fees. Tools like ClamAV for malware scanning, Fail2ban for blocking repeated failed logins, and OpenVAS for vulnerability assessment provide capabilities that commercial products charge for. Note that Fail2ban only applies to a server you administer yourself (it isn't an option on shared or managed hosting, where the provider controls that layer), and vulnerability scanners should only be pointed at systems you own or have written permission to test. These tools require more technical setup than commercial alternatives, but many nonprofits successfully implement them with volunteer technical assistance.
  • TechSoup: This nonprofit network aggregates discounted security software for nonprofits, offering commercial security suites at a fraction of retail prices. Their catalog includes endpoint protection, backup solutions, and security training resources. Eligibility verification ensures only legitimate nonprofits access these discounts, but the application process is straightforward.

Comparing Google Workspace Features

Compare features and prices to determine the best security platform for your nonprofit. For example, Google’s “Compare Google Workspace features for nonprofits” page features various charts so you can see exactly which security and management controls are included in the free program for nonprofits versus their other paid programs. 

On the free nonprofit tier, 2-step verification is the only security control included by default; the more advanced security and management controls sit in the paid tiers. The free tier still provides professional email addresses (you@yournonprofit.org), enterprise-grade security and privacy protections in the Gemini app, and more at no cost.

screenshot of a chart from Google Workspace comparing security features among various plans

Grants and Funding for Security

Security improvements qualify for many technology grants, though funders rarely offer security-specific programs. The key lies in framing security as essential infrastructure supporting your mission delivery. Explaining how security protects donor data, ensures service continuity, and maintains community trust resonates with funders who might not otherwise consider technical requests.

Writing Grant Proposals

When writing grant proposals, connect security investments directly to program outcomes. Examples include:

  • "Secure online donation processing increases donor confidence, directly supporting our campaign to build new shelter beds."
  • "Protecting our volunteer database ensures we can maintain the community connections essential to our meal delivery program."

These connections help funders understand security as mission-critical rather than overhead.

Securing Buy-In for Cybersecurity Investment

Making the case for security investment works best with concrete examples and specific budget items. Instead of requesting "website security improvements," itemize specific needs: 

  • "SSL certificate and configuration ($200)" (check first: many hosts now include a free certificate, for example via Let's Encrypt, in which case this line item disappears)
  • "Security monitoring service ($50/month)"
  • "Staff security training workshop ($500)"
  • "Secure backup system implementation ($300)"

This transparency helps funders understand exactly how their investment protects your organization.

Security Communities and Support

Online communities provide invaluable security support for resource-constrained nonprofits. The Nonprofit Technology Network (NTEN) community includes security discussions and peer advice from organizations facing similar challenges. TechSoup's community forums offer practical security guidance from both professionals and experienced nonprofit technologists.

Many cities have nonprofit technology meetups or user groups where you can get free security advice and sometimes hands-on help. These informal networks often prove more valuable than paid consultants because participants understand nonprofit constraints and culture. Search for "nonprofit technology" or "NetSquared" groups in your area.

Volunteer technical assistance programs match skilled professionals with nonprofits needing help. Organizations like TechSoup's volunteer program, Taproot Foundation, and local United Way volunteer centers can connect you with security professionals willing to donate their expertise. Building relationships with technical volunteers creates ongoing support beyond one-time projects.


Maintaining Long-Term Security

Security isn't a one-time project but an ongoing practice requiring consistent attention. Creating manageable routines ensures critical tasks don't fall through the cracks while preventing security maintenance from overwhelming your other responsibilities. The key lies in breaking security tasks into digestible chunks spread throughout the month.

Weekly Security Checks

Weekly security checks should take no more than 15 minutes:

  • Review any security alerts from your hosting provider or security plugins. 
  • Check that automated backups ran successfully. 
  • Glance at your website to ensure nothing looks obviously wrong. 

These quick checks catch problems early before they escalate.
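"Check that automated backups ran successfully" is worth making concrete, because a backup job that silently produces a truncated or empty archive looks identical to a working one until the day you need to restore. The following is an added example, not code from the original article: it checks that a backup archive exists, is recent, matches the checksum the backup job wrote beside it, opens without errors, and contains the pieces a restore needs. The archive layout, the 24-hour freshness limit, the `.sha256` sidecar convention and the required member names are assumptions made for the demo.

```python
"""Added example, not from the original article: a weekly check that a site
backup arrived, is recent, is not corrupted or truncated, and contains what
a restore needs. File names, the freshness limit, the .sha256 sidecar
convention and the required members are demo assumptions.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backup(archive: Path, max_age_hours: float, required: set[str],
                 now: float | None = None) -> list[str]:
    """Return a list of problems; an empty list means the backup passed."""
    problems: list[str] = []
    if not archive.is_file():
        return [f"missing: {archive}"]
    current = now if now is not None else time.time()
    age_h = (current - archive.stat().st_mtime) / 3600
    if age_h > max_age_hours:
        problems.append(f"stale: {age_h:.1f} h old (limit {max_age_hours} h)")
    # The backup job is assumed to write <archive>.sha256 next to the archive,
    # so a partial upload or transfer corruption becomes detectable.
    sidecar = archive.with_name(archive.name + ".sha256")
    if not sidecar.is_file():
        problems.append("no .sha256 sidecar to verify against")
    elif sidecar.read_text().split()[0] != sha256_file(archive):
        problems.append("checksum mismatch against .sha256 sidecar")
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            names = {m.name for m in tar.getmembers()}
    except (tarfile.TarError, EOFError, OSError) as exc:
        problems.append(f"archive unreadable: {exc}")
        return problems
    missing = sorted(required - names)
    if missing:
        problems.append(f"missing expected members: {missing}")
    return problems


# What a restore of this hypothetical site needs: the DB dump and uploads.
REQUIRED = {"database.sql", "wp-content/uploads/hero.jpg"}


def make_backup(workdir: Path) -> Path:
    """Constructed backup: a DB dump plus an upload, as tar.gz with a sidecar."""
    src = workdir / "src"
    (src / "wp-content" / "uploads").mkdir(parents=True)
    (src / "database.sql").write_text(
        "INSERT INTO wp_posts VALUES (1, 'hello');\n" * 200)
    (src / "wp-content" / "uploads" / "hero.jpg").write_bytes(
        b"\xff\xd8\xff" + b"\x00" * 500)
    archive = workdir / "site-backup.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        for rel in sorted(REQUIRED):
            tar.add(str(src / rel), arcname=rel)
    archive.with_name(archive.name + ".sha256").write_text(
        f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def run_demo() -> dict[str, list[str]]:
    workdir = Path(tempfile.mkdtemp(prefix="backup-"))
    good = make_backup(workdir)
    # Simulated failed upload: the archive was cut off halfway, while the
    # sidecar written by the backup job still carries the full file's hash.
    truncated = workdir / "site-backup-truncated.tar.gz"
    data = good.read_bytes()
    truncated.write_bytes(data[: len(data) // 2])
    truncated.with_name(truncated.name + ".sha256").write_text(
        good.with_name(good.name + ".sha256").read_text())
    return {
        "good": check_backup(good, 24, REQUIRED),
        "truncated": check_backup(truncated, 24, REQUIRED),
        # Pretend three days have passed with no new backup.
        "stale": check_backup(good, 24, REQUIRED, now=time.time() + 72 * 3600),
    }


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "OK" if not problems else problems)
```

Point `check_backup` at wherever your backups land (a second server, cloud storage synced locally, or an external drive), schedule it weekly, and treat any non-empty result as a to-do for that week. It confirms the archive is intact, not that it restores correctly; the quarterly restore test below is still needed for that.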

Monthly Security Checks

Monthly tasks dig slightly deeper:

  • Review user accounts and remove any that are no longer needed. 
  • Check for available updates to your content management system, plugins, and themes. 
  • Test your donation process end to end: make a small test donation, confirm the form is served over HTTPS, and check that the payment processor records the transaction. 
  • Generate and review basic security reports from your security plugins. 
  • Document any issues or changes in your security log.

Quarterly Security Checks

Quarterly reviews involve more comprehensive evaluation:

  • Test restoring a backup (to a staging or local copy, never over the live site) to ensure your backup system actually works. 
  • Review and update security documents and emergency contacts. 
  • Conduct security training refreshers with staff. 
  • Evaluate whether your current security measures still meet your needs as your organization grows.

Annual Security Checks

Annual security assessments provide big-picture evaluation:

  • Consider hiring a security professional for a thorough vulnerability assessment. 
  • Review and update all security policies and procedures. 
  • Evaluate your hosting provider and other security vendors to ensure they still meet your needs. 
  • Plan and budget for any security improvements needed next year.

Staying Informed

The security landscape changes constantly, but you don't need to become a security expert to protect your nonprofit. Following a few trusted sources helps you stay aware of important developments without getting overwhelmed by technical details or vendor hype.

Here’s how to stay informed:

  • Subscribe to Security Bulletins from Your CMS Provider: WordPress, Drupal, and other content management systems send alerts about critical security updates affecting their systems. These focused notifications matter more than general security news because they directly impact your website.
  • Subscribe to Email Lists: Email lists like TechSoup's nonprofit technology newsletter and NTEN's community updates filter security news through a nonprofit lens. They highlight what matters for organizations like yours while skipping overly technical details. Set up a dedicated email folder for these updates and review them weekly rather than letting them clutter your daily inbox.
  • Build a Security Knowledge Base: This base will help your organization learn and improve over time. Keep a simple document recording security incidents (even minor ones), solutions that worked, vendors you've used successfully, and lessons learned. This institutional memory proves invaluable when facing new security challenges or bringing new team members up to speed.

Here’s how easy it is to sign up for TechSoup’s nonprofit technology newsletter so you can stay informed about security issues relevant to nonprofits like yours:

screenshot of TechSoup's nonprofit technology newsletter sign-up form

Integrating Security with Overall Maintenance

Security works best when integrated into your regular website maintenance rather than treated as a separate task. This integration makes security sustainable and ensures it doesn't get forgotten during busy periods. Think of security as part of keeping your website healthy, not an add-on burden.

Coordinate Security Updates with Other Website Changes

When updating content or adding new features, check for security updates at the same time to minimize disruption. This batching reduces the risk of updates conflicting with each other and makes testing more efficient. It also helps you maintain a clear picture of what changed and when.

Include Security Needs in Your Budget Planning

Planning for security spending prevents financial surprises and ensures you can maintain protection consistently. 

Include line items for:

  • SSL certificate renewal (unless your host provides a free, auto-renewing certificate)
  • Security plugin licenses
  • Backup storage
  • Potential emergency response costs

Having dedicated security funding, even if modest, means you won't have to choose between security and other mission-critical expenses when issues arise.


The Path Forward: Achievable Security for Every Nonprofit

Website security might not be why you joined the nonprofit sector, but it's essential for continuing your important work. Every security measure you implement protects your ability to serve your community, maintain donor trust, and advance your mission. The good news is that you don't need to become a technology expert or spend thousands of dollars to achieve meaningful security improvements.

Start with one step today. Maybe it's enabling two-factor authentication on your administrator account. Perhaps it's scheduling those software updates you've been postponing. Or it could be having a conversation with your team about password security. Small actions compound into significant protection over time.

Your mission deserves protection, and so do the people who support it. The donors who trust you with their information, the volunteers who give their time, the community members who rely on your services – they all benefit when you take website security seriously. You've already taken the first step by reading this guide. Now it's time to implement these practices.

Remember, perfect security doesn't exist, but good security is absolutely achievable for any nonprofit. Focus on progress, not perfection. Celebrate the security improvements you make rather than feeling overwhelmed by everything left to do. With consistent attention and the practical steps outlined in this guide, you can build a secure digital foundation that supports your mission for years to come.

